Social media firms rapped on knuckles on privacy

Google, Facebook, Twitter and other social networking sites operating here have been given a break from a Conservative-dominated parliamentary committee looking into how they handle personal information of users.

With the urging of the information technology industry, the House of Commons standing committee on access to information and privacy refused Wednesday to recommend the Harper government give the federal privacy commissioner power to fine companies for breaking federal privacy law.

Instead the majority on the committee recommended the commissioner establish guidelines to help social media and data management companies develop practices that fully comply with the federal (PIPEDA).

The committee recommended the commissioner work with the private sector despite expressing concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.”

The committee also acknowledged that there are “difficulties” when Canadians are asked by social media to consent to the use of personal information because of the language they use in agreements.

Still, it only recommended the privacy commissioner create guidelines for social media companies so their use policies are “drafted in clear, accessible language that facilitates meaningful and ongoing consent.”

Karna Gupta, CEO of the Information Technology Association of Canada (ITAC), which represents major players in the IT industry, was among the social media companies like Google, Twitter and Facebook who told the committee that there’s no need to expand regulatory power.

“The Privacy Commissioner has the trust of the industry today and they work extremely well together on an on -going basis,” he said in a submission. “The industry’s view is that they would like to see it stay that way.”

Finally, the majority on the committee decided not to touch legislation before Parliament to update PIPEDA, Bill C-12, which gives all corporations the option of telling the privacy commissioner if there has been a loss of personal data of customers. Some privacy experts and the opposition NDP have called for corporations to be forced to disclose if there is a privacy breach.

That legislation, introduced in 2011, still has to have separate formal hearings before committees. However, the privacy committee’s refusal to suggest a change hints that the Harper government won’t alter that section.

PIPEDA gives the privacy commissioner power to investigate personal information breaches by the private sector (unless covered by provincial laws), make non-binding recommendations and mediate disputes between organizations and the public – in other words, the commissioner is an ombudsman.

The federal commissioner does have the ability to sue an organization in Federal Court for privacy breaches, and a judge can issue any remedy.

In essence, the committee said that was enough power for the commissioner.

The official opposition New Democrats on the committee called for the privacy commissioner’s punitive powers to be enhanced, and for organizations to be forced to report losses of personal data.

David Fraser, a Halifax lawyer who specializes in privacy law, said the committee’s recommendations were “relatively sensible.”

He represents businesses that have been before the federal privacy commissioner and says they have been “substantially influenced” by the fact that the regulator doesn’t have punitive powers.

The commissioner shouldn’t be judge and jury, he said, unless the office is reorganized to run the way the federal human rights commission is.

If the privacy commissioner creates guidelines for the private sector, it will help businesses understand where the regulator is coming from, he added.

“In my view, with the emergence of Internet giants, the balance intended by the spirit and letter of PIPEDA is at risk,” she told the committee. “The quasi- monopoly of these multinationals has made PIPEDA’s soft approach, based on non-binding recommendations and the threat of reputation loss, largely ineffective, I believe.

“We have seen organizations ignore our recommendations until the matter goes to court. We have seen large corporations, in the name of consultation with my office, pay lip service to our concerns and then ignore our advice.

“Moreover, with vast amounts of personal information held by organizations on increasingly complex platforms, the risk of significant breaches and of unexpected, unwanted, or even intrusive uses of that information calls for commemensurate safeguards and financial consequences not currently provided for in PIPEDA.”

Stoddard told the committee that social media companies can quickly amass a staggering amount of personal information. In addition to the preferences, habits, and social interactions of their users, they also collect vast amounts of background information that is not visible on public profiles, including search histories, purchases, Internet sites visited, and the content of private messages.

The committee acknowledged that personal information is a valued commodity by social media companies.

However, a number of companies that testified insisted they de-identify the data they use for creating online products.

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Award Winning Journalism

About Us

The Content Experts

For almost three decades we have been building solid relationships with Canada’s IT professionals by delivering timely, incisive information that helps them succeed in their jobs. Today, more than 75,000 IT executives and professionals – representing 70 per cent of the buying power in Canada – turn to us for the information they trust.